                        U.S. DEPARTMENT OF ENERGY
                       OFFICE OF INSPECTOR GENERAL


      AUDIT OF SELECTED ASPECTS OF THE UNCLASSIFIED COMPUTER
    SECURITY PROGRAM AT A DOE HEADQUARTERS COMPUTING FACILITY


The Office of Inspector General wants to make the distribution
of its reports as customer friendly and cost effective as
possible. Therefore, this report will be available electronically
through the Internet five to seven days after publication at the
alternative addresses:

          Department of Energy Headquarters Gopher
                      gopher.hr.doe.gov

      Department of Energy Headquarters Anonymous FTP
                     vm1.hqadmin.doe.gov

U.S. Department of Energy Human Resources and Administration
                          Home Page
            http://www.hr.doe.gov/refshelf.html

Your comments would be appreciated and can be provided on the
Customer Response Form attached to the Report.


Report Number:   AP-B-95-02              ADP and Technical Support Div.
Date of Issue:   July 31, 1995           Washington D.C. 20585


                           TABLE OF CONTENTS

                SUMMARY

  PART I    -   APPROACH AND OVERVIEW

                Introduction
                Scope and Methodology
                Background
                Observations and Conclusions

  PART II   -   FINDING AND RECOMMENDATIONS

                Unclassified Computer Security Program at
                a DOE Headquarters Computing Facility

  PART III  -   MANAGEMENT AND AUDITOR COMMENTS


                     U.S. DEPARTMENT OF ENERGY
                   OFFICE OF INSPECTOR GENERAL
                    OFFICE OF AUDIT SERVICES

Audit Report Number:   AP-B-95-02


                             SUMMARY

     The purpose of this audit was to evaluate the effectiveness
of the unclassified computer security program at the Germantown
Headquarters Administrative Computer Center (Center). The
Department of Energy (DOE) relies on the application systems at
the Germantown Headquarters Administrative Computer Center to
support its financial, payroll and personnel, security, and
procurement functions. Our review was limited to an evaluation
of the administrative, technical, and physical safeguards
governing utilization of the unclassified computer system which
hosts many of the Department's major application systems.

     Our audit identified weaknesses in the Center's computer
security program that increased the risk of unauthorized
disclosure or loss of sensitive data.
Specifically, we found that (1) access to sensitive data was not
limited to individuals who had a need for the information, and
(2) accurate and complete information was not maintained on the
inventory of tapes at the Center. Furthermore, the risk of
unauthorized disclosure and loss of sensitive data was increased
because other controls, such as physical security, had not been
adequately implemented at the Center.

     Management generally agreed with our audit conclusions and
recommendations, and initiated a number of actions to improve
computer security at the Center.


                              PART I

                       APPROACH AND OVERVIEW


INTRODUCTION

     The Department relies on the application systems at the
Center to support its financial, payroll and personnel, security,
and procurement functions. At the time of our audit fieldwork,
the Center was managed and operated by the Office of Information
Technology Services and Operations (ITSO). In November 1994,
subsequent to the completion of our fieldwork, ITSO's computer
security functions were transferred to the Systems Engineering
Group under the Deputy Assistant Secretary for Information
Management.

     The objective of our audit was to evaluate the effectiveness
of the unclassified computer security program at the Center.
Specific objectives included determining whether (1) computer
security procedures and practices adequately protected sensitive
data from unauthorized disclosure or loss, and (2) a contingency
plan had been developed that provided reasonable assurance of the
continuity of data processing support should events occur that
prevent normal operations.

SCOPE AND METHODOLOGY

     The audit was performed primarily at Departmental facilities
in Germantown, Maryland, with most of our fieldwork conducted
between February 1994 and October 1994. Our review was limited
to an evaluation of the administrative, technical, and physical
safeguards governing utilization of the unclassified IBM computer
system which hosts many of the Department's major application
systems. A separate report will be issued on controls for the
classified system at the Center.

     We examined (1) ITSO's plans and procedures for protecting
unclassified sensitive data and operations, and (2) reports by
the Office of Security Evaluations and the Office of Information
Resource Management Policy, Plans, and Oversight. We interviewed
program managers and staff in Departmental Headquarters to
discuss the adequacy of computer security controls, monitoring,
and training. We also inspected ITSO's contractor-operated
backup media storage facility and interviewed contractor and ITSO
personnel to discuss security and contingency issues.

     The audit was performed according to generally accepted
Government auditing standards for performance audits and included
tests of internal controls and compliance with laws and
regulations to the extent necessary to meet the objectives of the
audit. We assessed the significant internal controls with
respect to the unclassified security program at the Center. Our
assessment consisted of reviewing the administrative, technical,
and physical safeguards governing use of the unclassified IBM
computer system.
Because our review was limited, it would not necessarily have
disclosed all internal control deficiencies that may have existed
at the time of our audit.

     An exit conference was held with management officials from
the Office of Information Management on May 16, 1995.

BACKGROUND

     The Office of Information Technology Services and Operations
(ITSO), under the Deputy Assistant Secretary for Information
Management, has responsibility for managing and operating the
Headquarters classified and unclassified computer-based data
processing facilities, including the Center. Its functions
include (1) identifying mission-supportive information processing
opportunities for DOE Headquarters offices, (2) managing
information technology resource planning for DOE Headquarters,
and (3) developing and maintaining DOE-wide classified and
unclassified information systems under the responsibility of
Headquarters organizations. In November 1994, subsequent to the
completion of our fieldwork, ITSO's computer security functions
were transferred to the Systems Engineering Group under the
Deputy Assistant Secretary for Information Management.

     The Center is the Department's central administrative
processing facility. According to ITSO's October 1994 records,
the Center had computer processing equipment with an estimated
cost of about $6.6 million. At the Center, ITSO operates three
IBM computers that service the administrative computing needs of
the Department's Headquarters and field users nation-wide. One
computer is used for processing many of the Department's
mission-essential application systems. Another is used to support
a large number of users with file transfer, electronic mail, and
scheduling functions. The third computer is used for processing
classified data. The Center also has Hewlett-Packard computers
which support the processing of accounting and financial data.

     According to ITSO, about 3,600 users, of which 45 percent
were contractors, were provided access to the IBM computer system
dedicated to processing the Department's mission-essential
applications. These users can access the applications on the
unclassified system through dial-up or hardwired terminals. In
addition to providing computer processing time, ITSO offers other
end-user computing services, including computer training and
microcomputer repair.

     The following major Department application systems were
processed on the unclassified system at the Center.

      o   The Financial Information System (FIS), which is the
          official source of consolidated financial information
          for the Department;

      o   The DOE Integrated Payroll/Personnel System (PAY/PERS),
          which supports both personnel and payroll activities
          throughout the Department;

      o   The DOE Integrated Security System (DISS), which
          provides tracking capabilities for security clearances,
          visitor information for DOE facilities, and security
          badge accountability;

      o   The Energy Manpower Personnel Resource Information
          System, which supports the Department's human resource
          management and manpower resource planning, budgeting,
          and accounting activities; and

      o   The Procurement and Assistance Data System, which
          provides the Assistant Secretary for Human Resources and
          Administration with the ability to track and report on
          procurement and assistance actions throughout the
          Department.

     ITSO had employed various tools and techniques to manage the
Center.
As part of its computer security program, security software was
installed on the IBM computer processing the Department's major
application systems. Through use of the security software, ITSO
had implemented two measures--user identifications (userid) and
passwords--intended to protect these applications from
unauthorized access, fraud, and abuse. In addition, a tape
management system was installed to manage and report on magnetic
media (i.e., tape reels and cartridges). In May 1992, ITSO
conducted a risk analysis of the Center. In November 1992, ITSO
developed a disaster recovery plan intended to identify the
mission essential applications that should be maintained if the
Center's operations were unexpectedly interrupted.

OBSERVATIONS AND CONCLUSIONS

     Weaknesses existed in the computer security program at the
Center that increased the risk of unauthorized disclosure or loss
of sensitive data. Specifically, we found that (1) access to
sensitive data was not limited to individuals who had a need for
the information, and (2) accurate and complete information was
not maintained on the inventory of tapes at the Center.
Furthermore, the risk of unauthorized disclosure and loss of
sensitive data was increased because other controls, such as
physical security, had not been adequately implemented at the
Center. For example, a disaster recovery plan had not been fully
implemented to mitigate the consequences caused by an unexpected
loss of computer systems and data that support critical
Department operations.

     These weaknesses existed because ITSO had not fully
performed an assessment of risk at the Center and the controls in
place to mitigate these risks, and computer security officers did
not adequately monitor activities on the unclassified computer
system in accordance with computer security requirements. The
weaknesses in general controls over computer security of the
Center's unclassified system increased the risk of unauthorized
disclosure and/or loss of sensitive data, and diminished the
reliability of the Department's financial management information
that resides at the Center.

     During our audit, positive steps were taken to improve the
unclassified computer security program at the Center. Management
took action to (1) reduce the number of user accounts with broad
access privileges and (2) validate access to tape data sets
through implementation of the security software feature.
Controls were instituted to ensure that the tape management
system accurately reflected the disposition of magnetic media.
In addition, management took action to reduce the number of
persons who had unrestricted physical access to the Center,
including the tape library housing sensitive data.

     Individually, the computer security weaknesses identified in
this report may not represent material deficiencies in the
Center's computer security program. However, when considered
together, they represent internal control weaknesses that should
be considered by management when preparing its year-end assurance
memorandum on internal controls.


                              PART II

                       FINDING AND RECOMMENDATIONS

               Unclassified Computer Security Program at a
                   DOE Headquarters Computing Facility

FINDING

     An effective computer security program requires the
development and implementation of adequate controls to ensure
that sensitive data processed on computer systems is protected
from unauthorized disclosure and/or loss and that potential risks
relating to this data are identified and mitigated to the extent
practical. Weaknesses existed in the Center's unclassified
computer security program that increased the risk of unauthorized
disclosure or loss of sensitive data.
These weaknesses occurred because (1) ITSO had not fully
performed an assessment of risks on the unclassified computer
system and the controls in place to mitigate those risks, and
(2) computer security officers did not adequately monitor
activities on the unclassified computer system in accordance with
computer security requirements. Weaknesses in general controls
over the computer security of the Department's unclassified
system increased the risk of unauthorized disclosure and/or loss
of sensitive data, and diminished the reliability of the
Department's financial information.

RECOMMENDATIONS

     We recommend that the Deputy Assistant Secretary for
Information Management:

     1.   Conduct a comprehensive risk analysis of the Center to
          assess the unclassified system's unique risks, as well
          as the adequacy of the administrative, technical, and
          physical controls to mitigate those risks and to protect
          sensitive data.

     2.   Ensure that security officers monitor activities on the
          unclassified system and in the program, and take
          appropriate actions to bring the program into compliance
          with sound data processing practices, especially to

          a.   limit access authorization for the unclassified
               computer system to only those computer programs and
               data that individuals need to perform their duties
               and periodically review these authorizations to
               ensure that they remain appropriate;

          b.   reflect the accurate location and disposition of
               magnetic media in the tape management system;

          c.   document changes to operating system software;

          d.   provide adequate physical security safeguards to
               limit access to computing resources and protect
               against fire; and

          e.   fully implement an up-to-date disaster recovery plan
               for the Center to mitigate the consequences caused
               by an unexpected loss of use of computer systems and
               data.

MANAGEMENT REACTION

     Management agreed, in principle, with our audit finding and
recommendations, and identified actions planned or implemented to
improve computer security at the Center. See Part III of this
report for further discussion of management's comments.

                       DETAILS OF FINDING

GUIDANCE FOR COMPUTER SECURITY

     An effective computer security program requires the
development and implementation of adequate controls to ensure
that sensitive data processed on computer systems is protected
from unauthorized disclosure and/or loss, and that potential
risks relating to this data are identified and mitigated to the
extent practical. Guidance on the controls to be implemented by
Federal and Departmental organizations is set forth in various
documents issued by the Congress, the National Institute of
Standards and Technology (NIST), the Office of Management and
Budget (OMB), and the Department.

     The Computer Security Act of 1987 (Public Law 100-235) was
passed by the Congress to improve security over sensitive Federal
computer systems. The Act assigns responsibility to NIST for
developing standards and guidelines needed to ensure the
cost-effective security and privacy of sensitive information in
Federal computer systems. NIST has issued Federal Information
Processing Standards (FIPS Pubs) as guidance to Federal agencies
in the management and security of Federal automated information
systems.
FIPS Pubs containing guidance for computer security issues
include FIPS Pub 31, "Guidelines for Automatic Data
Processing Physical Security and Risk Management," issued June
1974; FIPS Pub 65, "Guidelines for Automatic Data Processing Risk
Analysis," issued August 1, 1979; FIPS Pub 73, "Guidelines for
Security of Computer Applications," issued June 30, 1980; FIPS
Pub 87, "Guidelines for ADP Contingency Planning," issued March
27, 1981; and FIPS Pub 112, "Password Usage," issued May 30,
1985.

     OMB Circular A-130, Appendix III, "Security of Federal
Automated Information Systems," establishes a minimum set of
controls to be included in Federal automated information systems
security programs. This Circular states that agencies shall
assure an adequate level of security for all agency information
systems, whether maintained in-house or commercially, and shall
implement and maintain a computer security program, including the
preparation of policies, standards, and procedures. OMB Bulletin
90-08, "Guidance for Preparation of Security Plans for Federal
Computer Systems That Contain Sensitive Information," also
provides guidance to Federal agencies on computer security
planning activities required by the Computer Security Act of
1987.

     Departmental policies and procedures governing unclassified
computer security are addressed in DOE Order 1360.2B,
"Unclassified Computer Security Program." This Order establishes
requirements, policies, responsibilities, and procedures for
developing, implementing, and sustaining an unclassified computer
security program. For example, the Order states that DOE
managers are required to designate an individual to be the
Computer Protection Program Manager (CPPM). The CPPM may
designate assistant CPPMs to accomplish specific security
responsibilities.
The Order further states that the CPPM shall implement and
administer a management control process to ensure
that appropriate administrative, technical, physical, and
personnel protection measures are incorporated into all new and
operational unclassified computer systems. The Order also states
that the CPPM shall develop and implement procedures establishing
controls designed to prevent misuse and abuse of unclassified
computer resources.

WEAKNESSES IN THE COMPUTER SECURITY PROGRAM AT THE CENTER

     Weaknesses existed in the Center's unclassified computer
security program that increased the risk of unauthorized
disclosure or loss of sensitive data. Specifically, we found
that (1) access to sensitive data was not limited to individuals
who had a need for the information, and (2) accurate and complete
information was not maintained on the inventory of tapes at the
Center. Other controls, such as physical security, had not been
adequately implemented to protect sensitive data and computing
resources.

System Access

     ITSO's computer security program did not ensure that access
to sensitive data was limited to individuals who had a need for
the information. Specifically, we found that:

     o   Computer support personnel had broad system access
         privileges which allowed them access to operating and
         application system files, as well as sensitive data sets.
         Such broad access privileges exceeded that which the
         individuals typically needed to perform their job
         functions, and increased the risk that an individual
         could copy, modify, or destroy any data set in the
         system, or create or change access rules and execute
         restricted programs.

     o   Non-unique identifiers were established that allowed
         unlimited access to the unclassified system. Such broad
         access through non-unique identifiers increased the risk
         that an individual could copy, modify, or destroy any
         data set in the system, or access restricted programs
         without being detected and having their access privilege
         revoked.

     o   Terminated contractor employees maintained access
         privileges.

     o   Access privileges were maintained for inactive user
         accounts that had not been accessed in over 6 months.

     o   Individuals were using other people's passwords for
         convenience.

     We found that technical safeguards were not in place that
would lessen the risk of unauthorized disclosure of sensitive
data. Access to data sets on tape was not validated by the
security software. Batch jobs did not have to be validated by
the security software to ensure that the user was authorized to
carry out this function. Users were also allowed to enter the
system through batch processing without providing a password.

Tape Management

     ITSO did not maintain accurate and complete information on
the inventory of tapes at the Center. As of March 7, 1995, the
Center's tape management system showed there were about 14,500
reels of tape. However, we observed on March 8, 1995, that the
Center had only approximately 1,900 reels of tape in its
inventory. According to Center personnel, (1) the tape management
system was not being modified to reflect the degaussing and
destruction of tapes; (2) documentation was not being maintained
on destroyed tapes; and (3) there was no formal inventory
performed of tapes.

Other Controls

     Other controls had not been adequately implemented at the
Center. These conditions increased the risk of unauthorized
disclosure and/or loss of sensitive data.
Specifically, we found that:

     o   Weaknesses existed in the management and use of the
         computer operating system. An ITSO official acknowledged
         that they did not fully document the changes made to
         system software. In the operating system, we identified
         19 commands and 5 programs that were unrecognized on the
         listing of authorized operating system entries.
         Authorization for operating system commands and programs
         is critical because entries can be used to bypass system
         validity checks and security.

     o   Physical security measures did not adequately limit access
         to computing resources or fully protect against fire.
         Contrary to Federal guidance, various persons who should
         not have had access to the tape library held card keys,
         including sixteen systems programmers. Although the room
         adjacent to the Center was used to store combustible
         materials such as paper and office supplies, it did not
         have a smoke detection system.

     o   Although ITSO had a disaster recovery plan, it had not
         been fully implemented to mitigate the potentially
         damaging consequences caused by the unexpected loss of
         use of computer systems and data that support critical
         Departmental operations. Backup tapes for all data and
         programs necessary to continue operations were not
         maintained at an offsite storage facility. In its
         November 1992 disaster recovery plan, ITSO designated 14
         application systems as "mission-essential." According to
         ITSO records, backup tapes were stored off-site for only
         6 of these applications. Furthermore, a complete set of
         documentation for each mission critical application was
         not kept in an off-site storage facility in order to
         facilitate its retrieval in case of need. In September
         1994, ITSO negotiated a formal agreement for disaster
         recovery services for its mainframe and minicomputers.
         According to management, a test of the plan will be
         conducted in September 1995 to ensure that appropriate
         steps have been taken to provide for contingency
         operations should the Center be unable to operate.

     We also noted that computer operator intervention was not
restricted during the operating system initialization process.
The acting Center manager told us that computer operator
intervention was needed to facilitate proper maintenance of the
Center's computers. However, he agreed that the risk of
inappropriate activity could be reduced by reviews of the access
activities of these employees.

REASONS FOR WEAKNESSES IN THE COMPUTER SECURITY PROGRAM

     The weaknesses in the computer security program at the
Center occurred because (1) ITSO had not fully performed an
assessment of risks on the unclassified computer system and the
controls in place to mitigate those risks, and (2) computer
security officers did not adequately monitor activities on the
unclassified computer system in accordance with computer security
requirements.

Security Planning

     ITSO had not fully performed an assessment of the risk of
unauthorized disclosure or loss of sensitive data and the
controls in place to mitigate such risks on the unclassified
system. DOE Order 1360.2B, "Unclassified Computer Security
Program," requires that the applicable Computer Protection
Program Manager formulate a computer protection plan.
The plan must be kept current and include certain elements, such
as (1) a summary of the management control process describing the
administrative, technical, and personnel safeguards employed at
the site; (2) reference to lists that identify unclassified
computer applications that process sensitive information, the
owners of such applications, and the unclassified computer
systems which provide processing support; and (3) reference to
schedules indicating planned and completed risk assessments.

     Although ITSO had developed a computer protection plan, it
had not conducted a comprehensive risk assessment of the
unclassified system in order to identify the unique risks that
existed with the system. Furthermore, the plan did not
adequately cover the technical and physical safeguards employed
to mitigate these unique risks and protect the sensitive data at
the Center.

Security Management

     Officials assigned to carry out computer security functions
were not adequately monitoring activities on the unclassified
computer system at the Center. The Headquarters' Computer
Protection Plan assigns responsibility to the CPPM for developing
and managing the Headquarters computer protection program.
Assistant CPPMs are assigned to assist the CPPM in implementing
the program. The Plan required security officers to ensure the
implementation of a continuous audit, monitoring and review
process to identify waste, fraud, abuse and unauthorized activity
in the access and use of computer resources.

     While a review process was implemented, it was not sufficient
for monitoring activities on the unclassified system. The formal
report on system activities highlighted unsuccessful attempts to
access the system.
However, security officials told us that they\ndid not routinely conduct formal monitoring or reporting of\nsystem activities, such as reviewing the actions of individuals\ngranted broad system access privileges.\n\n%PAGES\nIMPACT OF WEAKNESSES\n\n     Weaknesses in general controls over the computer security of\nthe Department\'s unclassified system increased the risk of\n%PAGEE unauthorized disclosure and/or loss of sensitive data and\ndiminished the reliability of the Department\'s financial\nmanagement information. In particular, the access allowed for\nterminated contract employees and the existence of non-unique\nidentifiers on the unclassified system heightened the opportunity\nfor unauthorized use, and diminished security officers\' ability\nto identify who had gained access to what data. Additionally,\nthe inaccurate accounting for tapes increased the opportunity for\nloss of data. Computer operations were also at risk because ITSO\nhad not taken the steps to ensure that computer support for\ncritical mission activities could be continued should disasters\nor major service disruptions occur.\n\n     Individually, the computer security weaknesses identified in\nthis report may not represent material deficiencies in the\nCenter\'s computer security program. However, the weaknesses\nidentified, collectively, provide an environment in which\nindividuals could exploit those weaknesses to obtain unauthorized\naccess to sensitive data, including that for many of the Depart-\nment\'s major financial management systems.\n                             PART III\n\x0c                      MANAGEMENT AND AUDITOR COMMENTS\n\n     Management agreed, in principle, with our audit finding and\nrecommendations, and identified corrective actions planned or\nimplemented to improve computer security at the Center.\n\nRecommendation 1.\n\n     Management Comments. 
Management indicated that a risk\nassessment, as defined by DOE Order 1360.2B, was performed on the\ncomputer installation of which the unclassified processor is a\npart. Because of their co-location, management believed that the\nunclassified processors enjoyed a majority of the same\nadministrative, technical, and physical controls afforded to the\nclassified processor. However, a risk assessment will be\nperformed of the unclassified system as part of the process of\nreaccreditation of the classified processor. This process will\ninclude a review of physical security controls, technical\nsafeguards and administrative controls as these pertain to the\nunclassified operating system based environment, and should be\ncompleted by December 1995.\n\n     Auditor Comments. Management\'s comments are responsive to\nour recommendation.\n\nRecommendation 2.a.\n\n     Management Comments. Management identified a number of\nactions planned or taken to improve system access controls. The\nnumber of user accounts with broad access privileges has been\nreduced, and access to tape data sets through implementation of\nthe security software feature is now validated. Also, a process\nof removing generalized, non-privileged access to the\nunclassified processors, where an access ID has not been used for\n15 consecutive months, will be initiated. This process will be\nfully operational by October 1995. Management further stated\nthat a refined access monitoring and reporting process is\ncurrently being engineered. This process will concentrate on\nmonitoring and reporting the data access of the personnel with\nprivileged access authorities. This refined monitoring and\nreporting process should be fully operational by November 1995.\nManagement also noted that users of the unclassified processors\nwill be reminded annually that the use of their access ID and\npassword combination should be controlled and not shared with\nother users.\n\n     Auditor Comments. 
Management\'s comments are responsive to\nour recommendation.\n\nRecommendation 2.b.\n\n     Management Comments. Management indicated that a number of\nactions have been planned or taken to improve the tape management\nsystem. In June 1995, the system was modified to clearly\nidentify the disposition of destroyed tapes. An engineering\neffort, scheduled for completion by August 1995, is being\nperformed to effect the recording within the tape management\nsystem of the media stored offsite. Also, an inventory\nmethodology, based upon exceptions, will be developed and fully\noperational by October 1995. This methodology will employ\ncontrols within both the "Tape Robotics and Tape Management\nSystems" to report discrepancies between the media stored\noffsite, the locations of all known media and any differences\n(i.e., missing media) between these two known entities.\n\n     Auditor Comments. Management\'s comments are responsive to\nour recommendation.\n\nRecommendation 2.c.\n\n     Management Comments. In its comments, management stated\nthat several locally authorized and developed commands as well as\nutility functions had been introduced into the operating system.\nThese commands and utility functions will be fully identified and\ndocumented by December 1995. Management also stated that other\nspecific anomalies within the operating system will be evaluated\nfor their effect on computer security and corrected as necessary\nto reinforce computer security controls.\n\n     Auditor Comments. Management\'s comments on planned actions\nappear to be responsive to our recommendation.\n\nRecommendation 2.d.\n\n     Management Comments. In its comments, management expressed\nthe belief that the Center is adequately protected against fire\nand has limited physical access due to the safeguards and\ncountermeasures employed for the classified processor. 
However,\nin April 1995, management took action to request a smoke detector\nfor the room, which was used to store combustible materials,\nadjacent to the Center. In June 1995, management completed a\nreview of the current card key system to ensure that individuals\nwith physical access needed such access in order to carry out\ntheir duties and responsibilities. Subsequent action was taken\nto reduce the number of individuals with unrestricted access to\nthe Center.\n\n     Auditor Comments. Management\'s comments on actions taken are\nresponsive to our recommendation.\n\nRecommendation 2.e.\n\n     Management Comments. In its comments, management noted that\nthe Center had a disaster recovery plan which addressed the\nissues raised in our report, and that the plan was continually in\nthe process of being updated. They also pointed out that a\ncontract was initiated in September 1994 to provide "hot site"\ndisaster recovery services from a contractor. According to\nmanagement, this plan will be tested in September 1995.\nManagement stated that they are "partnering" with the owners of\nthe fourteen "mission essential" application systems to obtain\ntheir participation in disaster recovery preparedness. In\naddition, every attempt will be made to have backup files and\ndocumentation for all the "mission essential" application systems\nin effect by January 1, 1996.\n\n     Auditor Comments. Management\'s comments are responsive to\nour recommendation. We have also amended our report to reflect\nthe awarding of a contract for a "hot-site".\n\n                                                        IG Report No. AP-B-95-02\n\n\n                        CUSTOMER RESPONSE FORM\n\n     The Office of Inspector General has a continuing interest in\nimproving the usefulness of its products. We wish to make\nour reports as responsive as possible to our customers\'\nrequirements, and therefore ask that you consider sharing\nyour thoughts with us. 
On the back of this form, you may\nsuggest improvements to enhance the effectiveness of future\nreports. Please include answers to the following questions\nif they are applicable to you:\n\n     1.   What additional background information about the\nselection, scheduling, scope, or procedures of the audit\nor inspection would have been helpful to the reader in\nunderstanding this report?\n\n     2.   What additional information related to findings and\nrecommendations could have been included in this report\nto assist management in implementing corrective\nactions?\n\n     3.   What format, stylistic, or organizational changes might\nhave made this report\'s overall message more clear to\nthe reader?\n\n     4.   What additional actions could the Office of Inspector\nGeneral have taken on the issues discussed in this\nreport which would have been helpful?\n\n     Please include your name and telephone number so that we may\ncontact you should we have any questions about your comments.\n\n     Name                                        Date\n\n     Telephone                                   Organization\n\n     When you have completed this form, you may telefax it to the\nOffice of Inspector General at (202) 586-0948, or you may\nmail it to:\n\n            Office of Inspector General (IG-1)\n            Department of Energy\n            Washington, D.C. 20585\n            ATTN: Customer Relations\n\n     If you wish to discuss this report or your comments with a\nstaff member of the Office of Inspector General, please\ncontact Rob Jacques at (202) 586-3223.\n'